• FIPS 140-1
    • Originally published in 1994
    • Items tested under this standard are still valid
  • FIPS 140-2
    • Originally published in 2001
  • FIPS 140-3
    • Currently in draft form, publishing date unknown
    • Drafting of the standard began in 2005


Software/Hardware/firmware that employs cryptographic services:

  • Encryption
  • Signature
  • Hashing
  • Authentication
  • Key management (generation, storage, import, export)


Three key components to FIPS 140-2

  • FIPS 140-2 Standard
  • FIPS 140-2 Derived Test Requirements (DTR)
  • FIPS 140-2 Implementation Guidance (IG)


Eleven Security Areas

  • Cryptographic Module Specification
  • Cryptographic Module Ports and Interfaces
  • Roles, Services, and Authentication
  • Finite State Model
  • Physical Security
  • Operational Environment
  • Cryptographic Key Management
  • EMI/EMC requirements
  • Self Tests
  • Design Assurance
  • Mitigation of Other Attacks


Levels of Security

  • Four levels - Level 1 thru Level 4
  • Level 1 is the lowest, Level 4 most stringent
  • Requirements are primarily cumulative by level
  • Levels assigned for each of the 11 security sections
  • Overall rating is lowest rating in all sections
  • module must be configured and operated inaccordance with the level it was validated


CC Security Considerations For crypto Modules

  • Level 1: No CC requirement
  • Level 2: EAL-2 Evaluated OS
  • Level 3: EAL-3 Evaluated OS
  • Level 4: EAL-4 Evaluated OS


Approved Security Functions

  • Symmetric Key – AES, Triple-DES, Skipjack
  • Asymmetric Key –DSA, RSA, ECDSA
  • Message Authentication – DES MAC, Triple-DES Mac, Enhanced Security DES, CCM Mode
  • Hashing – Secure Hash Standard (SHS) – SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512
  • Keyed Hash – HMAC
  • Random Number Generator –Approved Random Number Generators for FIPS 140-2, Security Requirements for Cryptographic Modules.